I see a lot of occurences of this comment /* @escapeNotVerified */ in the template files for Magento2.
Does it have a special meaning?
Is there any use for this?
Examples:
Asked
Active
Viewed 1.7k times
76
-
29Hey...Why the downvote? I'm not allowed to ask questions? – Marius Dec 08 '15 at 12:07
2 Answers
108
This tag is used by static tests. Any potentially unsafe output must be marked with either @escapeNotVerified or @noEscape to pass tests, the latter means that this particular usage has been checked and is safe.
In the future releases all occurrences of @escapeNotVerified will be verified and either marked with @noEscape or escaped with one of these methods:
\Magento\Framework\View\Element\AbstractBlock::escapeHtml\Magento\Framework\View\Element\AbstractBlock::escapeUrl\Magento\Framework\View\Element\AbstractBlock::escapeXssInUrl\Magento\Framework\View\Element\AbstractBlock::escapeQuote
Also note that some output is considered safe and should not be marked with such annotations:
- Enclosed in single quotes
- Enclosed in double quotes but without variables
- Type casting to bool, int
- Method calls which contain 'html' in their names, like
getTitleHtml, are also expected to output escaped HTML
Alex Paliarush
- 13,751
- 5
- 51
- 55
-
3
-
-
-
5At current pace, the replacement will be done approximately 2026 :D – Fabian Schmengler Jan 24 '19 at 08:48
27
I find it in devdocs of Magento2
Static Test
To improve security against XSS injections, a static test XssPhtmlTemplateTest.php is added to dev\tests\static\testsuite\Magento\Test\Php.
This static test finds all echo calls in PHTML-templates and determines if it is properly escaped or not.
It covers the following cases:
/* @noEscape */before output. Output doesn’t require escaping. Test is green./* @escapeNotVerified */before output. Output escaping is not checked and should be verified. Test is green.
